axiom-security

star 977

Use when storing credentials securely, encrypting data, implementing passkeys, securing AI/agentic features against prompt injection, code signing, or managing certificates and provisioning profiles.

CharlesWiltgen By CharlesWiltgen schedule Updated 6/12/2026
play_arrow Run Skill in Manus View GitHub

name: axiom-security description: Use when storing credentials securely, encrypting data, implementing passkeys, securing AI/agentic features against prompt injection, code signing, or managing certificates and provisioning profiles. license: MIT

Security & Credentials

You MUST use this skill for ANY keychain, encryption, passkey, app integrity, agentic/AI feature security, file protection, or code signing work.

Quick Reference

Symptom / Task Reference
Store tokens, passwords, API keys securely See skills/keychain.md
Choose kSecAttrAccessible level, biometric protection See skills/keychain.md
SecItem function signatures, attribute constants See skills/keychain-ref.md
errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed See skills/keychain-diag.md
Encrypt data, sign payloads, key management See skills/cryptokit.md
Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement See skills/cryptokit-ref.md
Passkey sign-in, WebAuthn, ASAuthorizationController See skills/passkeys.md
One-time code AutoFill for credential providers OS27 See skills/passkeys.md (Delivered Verification Codes)
App integrity verification, DCAppAttestService, fraud metric See skills/app-attest.md
Prompt injection, securing AI agents / agentic features, tool confirmation See skills/agentic-security.md
NSFileProtection levels, data protection at rest See skills/file-protection-ref.md
Certificate management, provisioning profiles, CI/CD signing See skills/code-signing.md
Certificate not found, profile mismatch, entitlement errors See skills/code-signing-diag.md
Certificate CLI, profile inspection, entitlement extraction See skills/code-signing-ref.md
Apple Pay payment certs / pass type certs / Tap to Pay entitlement See axiom-payments suite

Decision Tree

digraph security {
    start [label="Security task" shape=ellipse];
    what [label="What do you need?" shape=diamond];

    start -> what;
    what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
    what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
    what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
    what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
    what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
    what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
    what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
    what -> "skills/agentic-security.md" [label="AI agent security,\nprompt injection"];
    what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
    what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
    what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
    what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}
  1. Store tokens, passwords, API keys securely? → skills/keychain.md 1a. Need SecItem function signatures, attribute constants? → skills/keychain-ref.md 1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? → skills/keychain-diag.md
  2. Encrypt data, sign payloads, manage keys? → skills/cryptokit.md 2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? → skills/cryptokit-ref.md
  3. Implement passkey sign-in, replace passwords? → skills/passkeys.md
  4. Verify app integrity, prevent fraud? → skills/app-attest.md
  5. Securing an agentic/AI feature (prompt injection, tool confirmation, lock-screen intents)? → skills/agentic-security.md
  6. File encryption at rest, NSFileProtection levels? → skills/file-protection-ref.md
  7. Set up code signing, manage certificates, CI/CD? → skills/code-signing.md 7a. Code signing error troubleshooting? → skills/code-signing-diag.md 7b. Certificate CLI commands, profile inspection? → skills/code-signing-ref.md
  8. Build/upload failures after signing? → See axiom-build
  9. App Store submission prep? → /skill axiom-shipping
  10. Privacy manifests, tracking transparency? → See axiom-integration
  11. Data persistence (SwiftData, Core Data, storage strategy)? → /skill axiom-data
  12. TLS configuration, certificate pinning for network requests? → /skill axiom-networking
  13. Want automated security scan? → security-privacy-scanner (Agent)

Conflict Resolution

security vs axiom-build: When build fails with signing errors:

  • Code signing errors (certificate, profile, entitlement) → use security
  • Environment issues (Xcode version, simulator, Derived Data) → use axiom-build
  • If unsure, check the error message: CODESIGN, ITMS-90xxx, errSecsecurity

security vs shipping: When preparing for App Store:

  • Privacy manifests, submission checklists, rejections → use shipping
  • Code signing for distribution, certificate management → use security

security vs axiom-data: When storing sensitive data:

  • Tokens, passwords, API keys → use security (keychain)
  • User preferences, non-sensitive settings → use axiom-data (UserDefaults/SwiftData)
  • File encryption levels for database files → use security (file-protection-ref)
  • SQLite-specific Data Protection (.db/-wal/-shm trio, widget-while-locked access) → See axiom-data (skills/grdb-app-groups.md) §4

security vs axiom-networking: When securing network communication:

  • TLS configuration, certificate pinning → use axiom-networking
  • Signing API requests, encrypting payloads → use security (CryptoKit)

Critical Patterns

Keychain (skills/keychain.md):

  • SecItem mental model: uniqueness constraints, data protection classes
  • Biometric access control (Face ID / Touch ID)
  • Keychain sharing between app and extensions
  • Background access pitfalls, Mac keychain differences
  • Migration from UserDefaults/@AppStorage for sensitive data

Keychain API (skills/keychain-ref.md):

  • SecItemAdd/CopyMatching/Update/Delete signatures
  • Item class attributes, uniqueness constraint rules
  • kSecAttrAccessible levels and when each applies
  • Access control flags, biometric integration
  • Complete error code reference

Keychain Diagnostics (skills/keychain-diag.md):

  • errSecDuplicateItem from unexpected uniqueness constraints
  • errSecItemNotFound despite item existing (query mismatch)
  • errSecInteractionNotAllowed in background contexts
  • Access group and entitlement mismatches
  • Items disappearing after app updates

CryptoKit (skills/cryptokit.md):

  • AES-GCM and ChaChaPoly authenticated encryption
  • ECDSA/EdDSA digital signatures
  • Secure Enclave hardware-backed keys
  • Key agreement (ECDH) for end-to-end encryption
  • HPKE for modern asymmetric encryption
  • Post-quantum algorithms (ML-KEM, ML-DSA)
  • CommonCrypto migration path

CryptoKit API (skills/cryptokit-ref.md):

  • Hash functions (SHA-256/384/512, SHA-3), HMAC
  • Symmetric encryption (AES-GCM, ChaChaPoly)
  • Asymmetric signing (P256, P384, P521, Curve25519, Ed25519)
  • Key agreement, key derivation (HKDF)
  • Secure Enclave key creation and usage
  • Swift Crypto cross-platform parity

Passkeys (skills/passkeys.md):

  • ASAuthorizationController registration and assertion flows
  • AutoFill-assisted requests (QuickType bar integration)
  • Automatic passkey upgrades for existing users (iOS 18+)
  • Combined credential requests (passkey + password + Sign in with Apple)
  • Associated domains configuration for WebAuthn

App Attest (skills/app-attest.md):

  • DCAppAttestService attestation and assertion flows
  • Server-side validation of attestation objects
  • macOS support + tampering signals (extensions, key access control) from the 27 cycle
  • Fraud metric as an investigation signal
  • DeviceCheck 2-bit per-device state
  • Gradual rollout strategies for large install bases
  • Handling unsupported devices gracefully

Agentic Security (skills/agentic-security.md):

  • Threat modeling agentic features (indirect prompt injection, Lethal Trifecta)
  • Deterministic vs probabilistic mitigations (redaction, spotlighting, confirmation, unlock gating)
  • Foundation Models lifecycle modifiers (.onToolCall confirmation, .historyTransform)
  • App Intents authenticationPolicy and schema risk metadata

File Protection (skills/file-protection-ref.md):

  • NSFileProtection levels (complete, completeUnlessOpen, afterFirstUnlock, none)
  • Hardware-accelerated encryption tied to device passcode
  • Background file access requirements
  • Keychain vs file protection comparison

Code Signing (skills/code-signing.md):

  • Automatic vs manual signing tradeoffs
  • Certificate and profile management across teams
  • fastlane match for team-wide certificate sharing
  • CI/CD signing setup (GitHub Actions, Xcode Cloud)
  • Distribution build preparation (App Store, TestFlight, Ad Hoc)

Code Signing Diagnostics (skills/code-signing-diag.md):

  • Certificate issues (expired, missing, wrong type, revoked)
  • Provisioning profile issues (expired, missing cert, wrong App ID)
  • Entitlement mismatches (capability in Xcode but not in profile)
  • Keychain issues in CI (locked keychain, errSecInternalComponent)
  • Archive/export failures (wrong export method, wrong cert type)

Code Signing CLI (skills/code-signing-ref.md):

  • security find-identity, security cms -D for profile inspection
  • codesign -d --entitlements for entitlement extraction
  • Certificate types, validity periods, per-account limits
  • fastlane match commands and Keychain management

Automated Scanning

Security audit → Launch security-privacy-scanner agent (scans for hardcoded credentials, insecure token storage, Privacy Manifest coverage gaps, ATS violations, missing ATT descriptions, missing export compliance, weak Keychain ACLs, and compound rejection risks; scores posture HARDENED/GAPS/VULNERABLE)

Anti-Rationalization

Thought Reality
"I'll store the token in UserDefaults for now" UserDefaults is a plist file readable by any process with file access. Keychain takes 10 lines. skills/keychain.md shows the pattern.
"My app doesn't need encryption" If you store any user data at rest, iOS file protection is free. skills/file-protection-ref.md covers protection levels.
"CommonCrypto works fine, no need to migrate" CommonCrypto is C API with manual memory management and no compile-time safety. CryptoKit prevents buffer overflows and key misuse.
"I'll just use automatic signing" Automatic signing works until CI, team scaling, or capability changes break it. Understand manual signing before you need it. skills/code-signing.md covers both.
"Passkeys are too new, passwords are fine" Passkeys are phishing-resistant and supported since iOS 16. The migration path supports both simultaneously. skills/passkeys.md shows combined flows.
"I'll regenerate all certificates to fix this" Regenerating revokes existing certs and breaks every teammate's build. Diagnose first. skills/code-signing-diag.md has the diagnostic flow.
"App Attest is overkill for my app" If your app has any server-verified purchase, promotion, or competitive feature, tampered clients will exploit it. skills/app-attest.md covers gradual rollout.
"I'll use @unchecked Sendable on my crypto wrapper" Hiding thread-safety issues from the compiler in security code is how data corruption happens. See axiom-concurrency for safe patterns.
"kSecAttrAccessibleAlways is fine" Deprecated since iOS 12. Items are accessible even when device is locked and unencrypted during backup. Use kSecAttrAccessibleAfterFirstUnlock at minimum.
"Prompt injection won't hit our little AI feature" Any external content reaching your model (a calendar invite, a feed post) is the attack surface, and the model picks the actions. skills/agentic-security.md has the threat model and the deterministic mitigations.

Example Invocations

User: "How do I store an auth token securely?" → Read: skills/keychain.md

User: "errSecDuplicateItem when saving to keychain" → Read: skills/keychain-diag.md

User: "What are the SecItem attribute constants?" → Read: skills/keychain-ref.md

User: "How do I encrypt user data with AES?" → Read: skills/cryptokit.md

User: "What's the CryptoKit API for ECDSA signing?" → Read: skills/cryptokit-ref.md

User: "How do I add passkey sign-in to my app?" → Read: skills/passkeys.md

User: "How do I verify my app hasn't been tampered with?" → Read: skills/app-attest.md

User: "How do I protect my app's AI agent from prompt injection?" → Read: skills/agentic-security.md

User: "Should my Siri intent work from the lock screen?" → Read: skills/agentic-security.md

User: "What NSFileProtection level should I use?" → Read: skills/file-protection-ref.md

User: "My build fails with 'No signing certificate found'" → Read: skills/code-signing-diag.md

User: "How do I set up fastlane match for CI?" → Read: skills/code-signing.md

User: "How do I inspect a provisioning profile?" → Read: skills/code-signing-ref.md

User: "Scan my code for security issues" → Invoke: security-privacy-scanner agent

Install via CLI
npx skills add https://github.com/CharlesWiltgen/Axiom --skill axiom-security
Repository Details
star Stars 977
call_split Forks 74
navigation Branch main
article Path SKILL.md
More from Creator
CharlesWiltgen
CharlesWiltgen Explore all skills →